Security

EXPERT ADVICE

Easing the Throb of Mobile Security Headaches

There is no denying that mobile devices like tablets are changing the way we communicate, work and share information on the go — it’s the next logical step in the “post-PC” world. In fact, 200 million tablets could be sold annually by 2014, according to predictions, and cloud-based services are becoming a key feature for consumers.

In addition to an increase in cloud-based services, there is a surge in multiple mobile devices — with consumers not only using several at one time, but also switching between them throughout the day. C-level executives are a key driver, especially as tablets continue to grow in popularity and are added to the “workforce arsenal” that already includes PCs and BlackBerry devices.

Whatever device is being used, consumers are starting to expect data and application continuity when switching between tablets, smartphones and laptops, which further feeds the demand for cloud-based services. When applications and data are accessed and stored in the cloud, the transition from one device to another is seamless, guaranteeing users’ continuity without any problems.

Organizations are realizing that beyond cost efficiencies, they can leverage the advantages of data and application continuity in the cloud to provide employees with greater flexibility. However, this new environment, though convenient, poses several security challenges — such as blurring the lines between private and company-issued devices.

As employees increasingly use personal devices to access and store sensitive corporate resources and data, organizations need to address key security issues that until now did not pose a significant challenge.

End-Point Device Security

The need for end-point device security is not new and is recognized by most businesses. Until recently, though, the primary device used to access the corporate Virtual Private Network (VPN) by employees from outside the office was a corporate-issued laptop. When all laptops were centrally issued and managed by the IT department, it was relatively easy to implement standard security policies throughout the organization, and to manage the devices employees were using to access corporate applications and data.

Today, however, when employees are bringing personal tablets and smartphones into the office, organizations are having a more difficult time ensuring the devices are trusted. Companies are facing a situation in which data protection, network protection and identity protection are becoming much more complex.

When both private and corporate data is stored on the same device, it becomes a data container that is vulnerable to data leakage. As a result, when employees use personal devices to access core business applications that reside in the cloud, how can organizations ensure that the device won’t be used by unauthorized personnel to penetrate the organization? How can they make sure that passwords stored on a device are protected, and cannot be hacked or stolen for perpetrating identity theft?

Mobile Access and Cloud Security

In parallel to the security vulnerabilities surrounding mobile devices, there are also key security issues related to cloud applications. These issues relate to the challenges of protecting data in a multitenant environment, as well as to the need to secure applications residing in the cloud and protect virtual machines and instances — not to mention the need to secure access to core business applications such as CRM and email.

As organizations transition to the cloud and simultaneously witness a surge in the number and variety of mobile devices being used by employees and managers, they are facing a convergence of both end-point and cloud-related security issues.

To address these issues, organizations need to think about how they can protect identities by maintaining the integrity of credentials stored on the device, and how they can protect cloud-based applications and data by preventing unauthorized access from mobile devices.

Moreover, the complexity of these security demands and the need for IT departments to adopt new security mechanisms have operational implications for IT staff tasked with implementing and managing these new security policies.

Mobile Device Identity Protection

One way organizations can implement security mechanisms for mobile devices is to establish a framework that supports credential life cycle management and automatic certificate provisioning to mobile devices. These mechanisms ensure that only authenticated users with a trusted device can access corporate information and applications.

By embedding a personalized configuration profile on an employee’s mobile device, organizations can implement personal security credentials to each device and thus require employees to authenticate with their personal profile when accessing corporate resources.

When logging on to corporate systems, only those users with a certificate on their device (something they have), combined with the certificate password (something they know) are granted access. Moreover, by eliminating the need for passwords, strong authentication significantly reduces the vulnerabilities associated with password caching on mobile devices and lowers the risk of identity fraud that result from password theft.

With this type of solution, IT staff can provision several certificates to a single mobile device and specify which resources can be accessed. These may include network access via VPN, Microsoft Exchange and WPA2 enterprise WiFi networks.

Cloud-Access Protection

For cloud access security, organizations can use identity federation combined with strong authentication to ensure that only authorized personnel are accessing sensitive SaaS services. Through use of the Security Assertion Markup Language (SAML) protocol, organizations can extend the identities of employees to cloud-based applications.

Employees use a dynamic one-time passcode (instead of the password stored on their mobile device) to remotely access corporate resources that are stored in the company’s data center and those that are hosted in the cloud.

Passcodes can be generated either by a software authentication application installed on an employee’s mobile device or, if preferred, on a hardware authentication device that is issued separately. Beyond ensuring secure access, this solution also offers single sign-on, which is easier for employees, as they can use the same logon credentials for all remote applications.

Integrated Management

It is up to IT departments to implement security access policies that can keep pace with new technology and mobile trends. However, investing in security can be costly, especially if organizations have to purchase, implement and integrate several different applications from different vendors, each of which only offers a single component of their required security solution.

Strong authentication, implemented on mobile devices in the form of personalized credentials and extended to cloud applications using identity federation, offers organizations a flexible, yet highly secure framework that can extend security mechanisms to employees’ mobile end-point devices, as well as core corporate applications that have migrated to the cloud.

Solutions, which are based on a single and versatile authentication server that offers wide platform support, present the added benefit of being easier to manage and implement, as well as being far more cost-effective.

Letting Organizations Play to Their Strengths

Being able to issue personalized credentials to mobile devices and ensure secure access to cloud-based applications through strong authentication helps IT staff to prevent security malaise. Moreover, it enables organizations to be proactive in a world where technological developments are often lagging — or worse, still responding retroactively to security breaches or data loss.

By implementing a strong security posture, organizations increase strength, receive maximum benefits from the new technologies, and offer employees a more flexible work environment, which ultimately leads to greater job satisfaction and productivity.

Andrew Young is director of product management for SafeNet, an information security provider.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels